Malware/Virus Infection - Please Help

View previous topic View next topic Go down

Malware/Virus Infection - Please Help

Post by pdubb15 on 7th January 2010, 7:20 am

Hello my names Pat and my laptop is severely infected and possibly corrupted because of a virus. The initial virus that I found on my system was "Malware Defence". It is a type of scareware and foolishly I downloaded it, thinking it was part of Microsoft Security Essentials. I had "Malwarebytes" already installed on my system, however the virus would not allow me to open the program so that I could scan.

After following detailed instructions from Bleepingcomputer.com on how to remove this exact virus I was able to run Malwarebytes and the scan showed numerous infections. This is the scan log of the viruses I first removed, including the Malware Defence Bug:

Malwarebytes' Anti-Malware 1.43
Database version: 3499
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

1/6/2010 2:19:27 AM
mbam-log-2010-01-06 (02-19-17).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 197530
Time elapsed: 39 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\settdebugx.exe (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\notepad (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\notepad (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\pdubb\Local Settings\Temp\settdebugx.exe (Rogue.Installer) -> No action taken.
C:\WINDOWS\system32\krl32mainweq.dll (Trojan.DNSChanger) -> No action taken.
C:\Documents and Settings\pdubb\Start Menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> No action taken.

After I restarted my computer I was newly aware of a virus the cause random sounds to start playing with or without my browser running. This is still a problem going on. Randomly now I will not be able to open a program unless I do a restart, however sometimes when I do a restart I get a blue screen telling me to contact a systems administrator and so I flush it out by taking out my laptop battery. Microsoft Security Essentials will only be working on random reboots.

I tried running Malwarebytes again, and the scan picked up two trojans which it said it would delete after a restart. When I tried to restart I got the blue screen and so I figure it is something much deeper.

Here is the HiJackThis Log that you have requested:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:04:03 AM, on 1/7/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxdpcoms.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Lexmark Z2300 Series\lxdpmon.exe
C:\Program Files\Lexmark Z2300 Series\ezprint.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\PixArt\PAC7302\Monitor.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\pdubb\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=4080518
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=4080518
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [lxdpmon.exe] "C:\Program Files\Lexmark Z2300 Series\lxdpmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark Z2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PAC7302_Monitor] C:\WINDOWS\PixArt\PAC7302\Monitor.exe
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - [You must be registered and logged in to see this link.]
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - [You must be registered and logged in to see this link.]
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} - [You must be registered and logged in to see this link.]
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: lxdpCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdpserv.exe
O23 - Service: lxdp_device - - C:\WINDOWS\system32\lxdpcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9469 bytes

If there is anymore information that you need please do not hesitate. Thank you in advance for your time, and help!

pdubb15
Novice
Novice

Posts Posts : 10
Joined Joined : 2010-01-07
OS OS : Windows XP
Points Points : 25406
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Malware/Virus Infection - Please Help

Post by Belahzur on 7th January 2010, 1:52 pm

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Malware/Virus Infection - Please Help

Post by pdubb15 on 7th January 2010, 6:21 pm

Here is the copy of the "Quick Scan" Log.
When I restarted it booted up as normal except for it brought me to a black screen first and asked if I wanted to restart with "Windows XP Home Edition", or "Windows XP Setup". This happened previously too.

Malwarebytes' Anti-Malware 1.43
Database version: 3499
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

1/7/2010 11:14:28 AM
mbam-log-2010-01-07 (11-14-28).txt

Scan type: Quick Scan
Objects scanned: 115260
Time elapsed: 8 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\krl32mainweq.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.

pdubb15
Novice
Novice

Posts Posts : 10
Joined Joined : 2010-01-07
OS OS : Windows XP
Points Points : 25406
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Malware/Virus Infection - Please Help

Post by Belahzur on 7th January 2010, 9:01 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:





    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Malware/Virus Infection - Please Help

Post by pdubb15 on 8th January 2010, 12:43 am

The only probelm I encountered while running the steps was that after I installed the program and it began to scan it said something like A Rootkit Activity has been found and ComboFix needs to restart the computer. It told me to write down these files and said it may need them later:

C:\WINDOWS\system32\drivers\H8SRTmdrqbakwq.sys
C:\\WINDOWS\system32\H8SRTmuoxnnfsco.dll
C:\\WINDOWS\system32\H8RSTxpmgmmgefm.dat
C:\\WINDOWS\system32\H8RSTcjhcrwjtkm.dll
C:\\WINDOWS\system32\H8RSTesctchsati.dll

Lastly here is the log you have requested:

ComboFix 10-01-04.01 - pdubb 01/07/2010 17:08:28.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1444 [GMT -7:00]
Running from: c:\documents and settings\pdubb\Desktop\Combo-Fix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\H8SRTmdrqbakvvq.sys
c:\windows\system32\H8SRTcjhcrwjtkm.dll
c:\windows\system32\H8SRTesctchsati.dll
c:\windows\system32\H8SRTmuoxnnfsco.dll
c:\windows\system32\H8SRTxpmgmmgefm.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_H8SRTd.sys
-------\Legacy_H8SRTd.sys


((((((((((((((((((((((((( Files Created from 2009-12-08 to 2010-01-08 )))))))))))))))))))))))))))))))
.

2010-01-07 18:18 . 2010-01-07 18:18 863 ----a-w- c:\windows\system32\krl32mainweq.dll
2010-01-07 03:40 . 2010-01-07 05:47 -------- d-----w- c:\documents and settings\pdubb\Application Data\vlc
2010-01-07 03:38 . 2010-01-07 03:38 -------- d-----w- c:\program files\VideoLAN
2010-01-06 09:42 . 2010-01-06 09:42 -------- d-----w- C:\$WIN_NT$.~BT
2010-01-06 09:20 . 2010-01-06 09:20 54016 ----a-w- c:\windows\system32\drivers\rbwimk.sys
2010-01-06 02:10 . 2010-01-06 02:10 -------- d-----w- c:\program files\Easy Uninstaller
2010-01-04 08:11 . 2010-01-04 08:11 -------- d-----w- c:\program files\uTorrent
2010-01-04 08:11 . 2010-01-06 00:42 -------- d-----w- c:\documents and settings\pdubb\Application Data\uTorrent
2009-12-30 06:35 . 2010-01-06 01:38 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2009-12-30 06:26 . 2009-12-30 06:26 -------- d-----w- c:\documents and settings\pdubb\Application Data\Uniblue
2009-12-30 06:06 . 2009-11-03 03:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-30 06:00 . 2009-12-30 06:00 -------- d-----w- c:\program files\Microsoft Security Essentials
2009-12-28 21:34 . 2009-12-28 21:34 -------- d-----w- c:\documents and settings\pdubb\Application Data\ArcSoft
2009-12-22 01:47 . 2009-12-22 01:47 -------- d-----w- c:\documents and settings\pdubb\Application Data\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-06 09:21 . 2009-08-06 02:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-06 01:22 . 2008-05-28 16:35 76568 -c--a-w- c:\documents and settings\pdubb\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-06 01:17 . 2009-10-18 06:12 -------- d-----w- c:\documents and settings\pdubb\Application Data\Skype
2010-01-05 23:05 . 2009-10-18 06:14 -------- d-----w- c:\documents and settings\pdubb\Application Data\skypePM
2010-01-04 19:03 . 2008-06-05 02:50 -------- d-----w- c:\documents and settings\pdubb\Application Data\LimeWire
2009-12-30 21:55 . 2009-08-06 04:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 21:54 . 2009-08-06 04:40 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-28 02:40 . 2008-06-20 02:06 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-25 07:34 . 2008-05-18 20:05 65723 ----a-w- c:\windows\system32\nvModes.dat
2009-12-24 09:53 . 2008-06-02 08:53 4244 ----a-w- c:\documents and settings\pdubb\Application Data\wklnhst.dat
2009-12-09 17:55 . 2008-11-25 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-08 04:33 . 2009-08-06 04:24 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-29 20:05 . 2009-03-29 01:32 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-22 06:42 . 2009-05-29 04:24 -------- d-----w- c:\program files\DivX
2009-11-22 06:41 . 2009-11-22 06:41 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-11-17 07:15 . 2009-11-17 07:15 62048 ---ha-w- c:\windows\system32\mlfcache.dat
2009-11-17 07:13 . 2009-11-17 07:13 -------- d-----w- c:\program files\epw_battle_guru_v1_0_1
2009-11-17 07:11 . 2009-11-17 07:11 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-14 00:47 . 2009-11-14 00:47 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-11-14 00:47 . 2009-11-14 00:47 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-11-14 00:47 . 2009-11-14 00:47 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-11-14 00:47 . 2009-11-14 00:47 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-11-14 00:47 . 2009-11-14 00:47 696320 ----a-w- c:\windows\system32\DivX.dll
2009-10-29 07:46 . 2004-08-10 17:51 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-10 17:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-10 17:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-25 03:33 . 2009-10-25 03:10 34807 ----a-w- c:\windows\scunin.dat
2009-10-25 03:33 . 2009-10-25 03:10 967 ----a-w- c:\windows\ScUnin.pif
2009-10-25 03:33 . 2009-10-25 03:10 70656 ----a-w- c:\windows\ScUnin.exe
2009-10-21 05:38 . 2004-08-10 17:51 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-10 17:51 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 04:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-18 06:14 . 2009-10-18 06:14 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-10-13 10:30 . 2004-08-10 17:51 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-10 17:51 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-10 17:51 79872 ----a-w- c:\windows\system32\raschap.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-03-30 8491008]
"nwiz"="nwiz.exe" [2008-03-30 1626112]
"NVHotkey"="nvHotkey.dll" [2008-03-30 86016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-03-30 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-29 136600]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-11 2183168]
"SigmatelSysTrayApp"="stsystra.exe" [2007-06-06 405504]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-28 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"lxdpmon.exe"="c:\program files\Lexmark Z2300 Series\lxdpmon.exe" [2007-12-07 656040]
"EzPrint"="c:\program files\Lexmark Z2300 Series\ezprint.exe" [2007-12-07 107176]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-11-29 520024]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2009-09-04 158448]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-14 1048392]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-5-18 50688]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\lxdpcoms.exe"=
"c:\\Program Files\\Lexmark Z2300 Series\\lxdpmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdppswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdptime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdpjswx.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/26/2009 1:31 PM 64160]
R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [10/23/2009 11:05 PM 15172]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 2:34 PM 1028432]
R2 lxdp_device;lxdp_device;c:\windows\system32\lxdpcoms.exe -service --> c:\windows\system32\lxdpcoms.exe -service [?]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/4/2008 8:40 PM 24652]
S0 yowga;yowga;c:\windows\system32\drivers\xbinwoss.sys --> c:\windows\system32\drivers\xbinwoss.sys [?]
S2 lxdpCATSCustConnectService;lxdpCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdpserv.exe [9/9/2008 4:19 PM 98984]
.
Contents of the 'Scheduled Tasks' folder

2010-01-04 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 20:05]

2009-11-22 c:\windows\Tasks\Install_NSS.job
- c:\program files\DivX\Symantec\scstubinstaller.exe [2009-11-14 00:49]

2010-01-08 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-03 00:36]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\pdubb\Application Data\Mozilla\Firefox\Profiles\jrjopaya.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\pdubb\Application Data\Mozilla\Firefox\Profiles\jrjopaya.default\extensions\{a2880346-35bb-45bb-9190-eedb49c132c5}\components\Engine.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Mozilla Firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\echospin\npesProxy.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - hȋdden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

pref(dom.disable_open_during_load, false);.
- - - - ORPHANS REMOVED - - - -

SafeBoot-WudfPf
SafeBoot-WudfRd



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-01-07 17:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3448241640-29416961-2238731732-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3104)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxdpcoms.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\ZuneBusEnum.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\stsystra.exe
.
**************************************************************************
.
Completion time: 2010-01-07 17:35:07 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-08 00:35

Pre-Run: 60,707,524,608 bytes free
Post-Run: 61,091,323,904 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[Boot Loader]
Timeout=2
Default=c:\$win_nt$.~bt\BOOTSECT.DAT
[Operating Systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
c:\$win_nt$.~bt\BOOTSECT.DAT="Microsoft Windows XP Setup"

- - End Of File - - D652B2FD93B41D8265B940D6785FB35C

pdubb15
Novice
Novice

Posts Posts : 10
Joined Joined : 2010-01-07
OS OS : Windows XP
Points Points : 25406
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Malware/Virus Infection - Please Help

Post by Belahzur on 8th January 2010, 12:46 am

Thanks. I already knew there was a rootkit present, but thanks anyway. Smile Before we can finish this up, I need one more log.

  • Open HijackThis.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Malware/Virus Infection - Please Help

Post by pdubb15 on 8th January 2010, 2:26 am

Here you go:

µTorrent
Ad-Aware
Ad-Aware
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.3
ArcSoft PhotoImpression 5
ArcSoft VideoImpression 2
Broadcom Management Programs
Browser Address Error Redirector
Compatibility Pack for the 2007 Office system
Conexant HDA D330 MDC V.92 Modem
Critical Update for Windows Media Player 11 (KB959772)
Dell Support Center (Support Software)
Dell Touchpad
Dell Wireless WLAN Card
Digital Line Detect
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Plus Web Player
Easy Uninstaller
Echospin Delivery Wizard
EPW Battle Guru v1.2 - New!
EPW Battle Guru v1.2 - New!
FL Studio 8
Free YouTube to Mp3 Converter version 3.1
GDR 4053 for SQL Server Database Services 2005 ENU (KB970892)
GDR 4053 for SQL Server Tools and Workstation Components 2005 ENU (KB970892)
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
IntelliSonic Speech Enhancement
IrfanView (remove only)
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 11
Java(TM) 6 Update 4
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Lexmark Z2300 Series
LimeWire 5.2.13
Malwarebytes' Anti-Malware
MediaDirect
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Antimalware
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Professional 2007 Trial
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Security Essentials
Microsoft Security Essentials
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.9
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft WinUsb 1.0
Microsoft Works
Modem Diagnostic Tool
Mozilla Firefox (3.0.17)
MSXML 6.0 Parser (KB933579)
NetWaiting
NVIDIA Drivers
OutlookAddinSetup
QuickSet
QuickTime
Roxio Activation Module
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler 3
Roxio Update Manager
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Skype web features
Skype™ 4.1
Sonic CinePlayer Decoder Pack
Starcraft
System Requirements Lab
The Matrix Online
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Outlook 2007 Junk Email Filter (kb976884)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.4053
VGA USB Camera
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 1.0.3
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Zune
Zune
Zune Desktop Theme
Zune Language Pack (ES)
Zune Language Pack (FR)

pdubb15
Novice
Novice

Posts Posts : 10
Joined Joined : 2010-01-07
OS OS : Windows XP
Points Points : 25406
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Malware/Virus Infection - Please Help

Post by pdubb15 on 8th January 2010, 2:31 am

Also are you able to tell whether or not the rootkit is gone?

pdubb15
Novice
Novice

Posts Posts : 10
Joined Joined : 2010-01-07
OS OS : Windows XP
Points Points : 25406
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Malware/Virus Infection - Please Help

Post by Belahzur on 8th January 2010, 10:38 am

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    µTorrent
    J2SE Runtime Environment 5.0 Update 6
    Java(TM) 6 Update 11
    Java(TM) 6 Update 4
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    LimeWire 5.2.13
    Viewpoint Media Player

Next,

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    c:\windows\system32\krl32mainweq.dll
    c:\windows\system32\drivers\rbwimk.sys

    Driver::
    yowga

    DDS::
    uStart Page = about:blank

    Firefox::
    FF - ProfilePath - c:\documents and settings\pdubb\Application Data\Mozilla\Firefox\Profiles\jrjopaya.default\
    FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
    FF - prefs.js: browser.search.selectedEngine - Ask
    FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
    FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]

    RegLock::
    [HKEY_USERS\S-1-5-21-3448241640-29416961-2238731732-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Malware/Virus Infection - Please Help

Post by pdubb15 on 12th January 2010, 6:26 pm

Sorry for the late reply. I have been out of town. I did what you asked, but as Combofix began to run it said it was expired and would run in "Reduced Functionality Mode." Is that what you want me to do?

pdubb15
Novice
Novice

Posts Posts : 10
Joined Joined : 2010-01-07
OS OS : Windows XP
Points Points : 25406
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Malware/Virus Infection - Please Help

Post by Belahzur on 12th January 2010, 7:02 pm

No, if that alert show, delete your copy of Combofix you have now, and download a new copy, then try again.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Malware/Virus Infection - Please Help

Post by pdubb15 on 12th January 2010, 7:48 pm

okay i downloaded a new copy and did everything the way asked:

ComboFix 10-01-12.02 - pdubb 01/12/2010 12:27:03.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1388 [GMT -7:00]
Running from: c:\documents and settings\pdubb\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\pdubb\Desktop\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FILE ::
"c:\windows\system32\drivers\rbwimk.sys"
"c:\windows\system32\krl32mainweq.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\rbwimk.sys
c:\windows\system32\krl32mainweq.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_yowga


((((((((((((((((((((((((( Files Created from 2009-12-12 to 2010-01-12 )))))))))))))))))))))))))))))))
.

2010-01-09 00:10 . 2010-01-12 19:24 -------- d-----w- c:\program files\PeerGuardian2
2010-01-07 03:40 . 2010-01-12 04:31 -------- d-----w- c:\documents and settings\pdubb\Application Data\vlc
2010-01-07 03:38 . 2010-01-07 03:38 -------- d-----w- c:\program files\VideoLAN
2010-01-06 09:42 . 2010-01-06 09:42 -------- d-----w- C:\$WIN_NT$.~BT
2010-01-04 08:11 . 2010-01-12 18:08 -------- d-----w- c:\documents and settings\pdubb\Application Data\uTorrent
2009-12-30 06:35 . 2010-01-06 01:38 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2009-12-30 06:26 . 2009-12-30 06:26 -------- d-----w- c:\documents and settings\pdubb\Application Data\Uniblue
2009-12-30 06:06 . 2009-11-03 03:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-30 06:00 . 2009-12-30 06:00 -------- d-----w- c:\program files\Microsoft Security Essentials
2009-12-28 21:34 . 2009-12-28 21:34 -------- d-----w- c:\documents and settings\pdubb\Application Data\ArcSoft
2009-12-22 01:47 . 2009-12-22 01:47 -------- d-----w- c:\documents and settings\pdubb\Application Data\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-12 18:17 . 2008-06-05 03:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-01-12 18:17 . 2008-06-05 02:50 -------- d-----w- c:\program files\LimeWire
2010-01-12 18:14 . 2008-05-18 20:20 -------- d-----w- c:\program files\Java
2010-01-12 18:11 . 2008-06-05 02:50 -------- d-----w- c:\documents and settings\pdubb\Application Data\LimeWire
2010-01-11 08:31 . 2008-06-02 08:53 4366 ----a-w- c:\documents and settings\pdubb\Application Data\wklnhst.dat
2010-01-10 21:56 . 2009-10-18 06:12 -------- d-----w- c:\documents and settings\pdubb\Application Data\Skype
2010-01-10 19:08 . 2009-10-18 06:14 -------- d-----w- c:\documents and settings\pdubb\Application Data\skypePM
2010-01-08 21:08 . 2008-05-18 20:05 65723 ----a-w- c:\windows\system32\nvModes.dat
2010-01-06 09:21 . 2009-08-06 02:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-06 01:22 . 2008-05-28 16:35 76568 -c--a-w- c:\documents and settings\pdubb\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-30 21:55 . 2009-08-06 04:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 21:54 . 2009-08-06 04:40 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-28 02:40 . 2008-06-20 02:06 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-09 17:55 . 2008-11-25 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-08 04:33 . 2009-08-06 04:24 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-29 20:05 . 2009-03-29 01:32 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-22 06:42 . 2009-05-29 04:24 -------- d-----w- c:\program files\DivX
2009-11-22 06:41 . 2009-11-22 06:41 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-11-17 07:15 . 2009-11-17 07:15 62048 ---ha-w- c:\windows\system32\mlfcache.dat
2009-11-17 07:11 . 2009-11-17 07:11 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-14 00:47 . 2009-11-14 00:47 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-11-14 00:47 . 2009-11-14 00:47 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-11-14 00:47 . 2009-11-14 00:47 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-11-14 00:47 . 2009-11-14 00:47 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-11-14 00:47 . 2009-11-14 00:47 696320 ----a-w- c:\windows\system32\DivX.dll
2009-10-29 07:46 . 2004-08-10 17:51 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-10 17:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-10 17:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-25 03:33 . 2009-10-25 03:10 34807 ----a-w- c:\windows\scunin.dat
2009-10-25 03:33 . 2009-10-25 03:10 967 ----a-w- c:\windows\ScUnin.pif
2009-10-25 03:33 . 2009-10-25 03:10 70656 ----a-w- c:\windows\ScUnin.exe
2009-10-21 05:38 . 2004-08-10 17:51 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-10 17:51 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 04:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-18 06:14 . 2009-10-18 06:14 56 ---ha-w- c:\windows\system32\ezsidmv.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-03-30 8491008]
"nwiz"="nwiz.exe" [2008-03-30 1626112]
"NVHotkey"="nvHotkey.dll" [2008-03-30 86016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-03-30 81920]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-11 2183168]
"SigmatelSysTrayApp"="stsystra.exe" [2007-06-06 405504]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-28 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"lxdpmon.exe"="c:\program files\Lexmark Z2300 Series\lxdpmon.exe" [2007-12-07 656040]
"EzPrint"="c:\program files\Lexmark Z2300 Series\ezprint.exe" [2007-12-07 107176]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-11-29 520024]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2009-09-04 158448]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-14 1048392]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-5-18 50688]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxdpcoms.exe"=
"c:\\Program Files\\Lexmark Z2300 Series\\lxdpmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdppswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdptime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdpjswx.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/26/2009 1:31 PM 64160]
R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [10/23/2009 11:05 PM 15172]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 2:34 PM 1028432]
R2 lxdp_device;lxdp_device;c:\windows\system32\lxdpcoms.exe -service --> c:\windows\system32\lxdpcoms.exe -service [?]
S2 lxdpCATSCustConnectService;lxdpCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdpserv.exe [9/9/2008 4:19 PM 98984]
.
Contents of the 'Scheduled Tasks' folder

2010-01-04 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 20:05]

2010-01-12 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-03 00:36]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\pdubb\Application Data\Mozilla\Firefox\Profiles\jrjopaya.default\
FF - component: c:\documents and settings\pdubb\Application Data\Mozilla\Firefox\Profiles\jrjopaya.default\extensions\{a2880346-35bb-45bb-9190-eedb49c132c5}\components\Engine.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Mozilla Firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\echospin\npesProxy.dll
FF - hȋdden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

pref(dom.disable_open_during_load, false);.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-01-12 12:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2968)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\system32\lxdpcoms.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\ZuneBusEnum.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\stsystra.exe
.
**************************************************************************
.
Completion time: 2010-01-12 12:45:04 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-12 19:45
ComboFix2.txt 2010-01-08 00:35

Pre-Run: 56,798,310,400 bytes free
Post-Run: 56,914,583,552 bytes free

- - End Of File - - 172E6DDBE5678598F4E91D19A3FFA608

pdubb15
Novice
Novice

Posts Posts : 10
Joined Joined : 2010-01-07
OS OS : Windows XP
Points Points : 25406
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Malware/Virus Infection - Please Help

Post by Belahzur on 13th January 2010, 12:08 am

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Malware/Virus Infection - Please Help

Post by pdubb15 on 13th January 2010, 2:20 am

It runs alot better, thank you very much. The only other thing is that when I restary my computer or turn it off and on again it brings me to a black boot screen first and asks me what I want to boot off of. Is there a way to turn on an automatic selection for windows xp home edition?

pdubb15
Novice
Novice

Posts Posts : 10
Joined Joined : 2010-01-07
OS OS : Windows XP
Points Points : 25406
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Malware/Virus Infection - Please Help

Post by Belahzur on 13th January 2010, 4:22 pm

Hello.
The extra option is for booting to the recovery console, it's recommended to keep it that way in case anything goes wrong, you have instant access to the console to try and repair the problem.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Malware/Virus Infection - Please Help

Post by pdubb15 on 13th January 2010, 10:53 pm

Okay well then everything is running great. Thank you very much for your time and help!

pdubb15
Novice
Novice

Posts Posts : 10
Joined Joined : 2010-01-07
OS OS : Windows XP
Points Points : 25406
# Likes # Likes : 0

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum